Update CHANGES and NEWS for the new release

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9842)

diff --git a/CHANGES b/CHANGES
index 3277a0dbd4ae5d2586910e08959ff48a4e09fae5..b4400d20ccf46cee56ab110febed08e396bac4be 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,18 @@
 
  Changes between 1.1.0k and 1.1.0l [xx XXX xxxx]
 
+  *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations
+     where an attacker receives automated notification of the success or failure
+     of a decryption attempt an attacker, after sending a very large number of
+     messages to be decrypted, can recover a CMS/PKCS7 transported encryption
+     key or decrypt any RSA encrypted message that was encrypted with the public
+     RSA key, using a Bleichenbacher padding oracle attack. Applications are not
+     affected if they use a certificate together with the private RSA key to the
+     CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info
+     to decrypt.
+     (CVE-2019-1563)
+     [Bernd Edlinger]
+
   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
      used even when parsing explicit parameters, when loading a serialized key
      or calling `EC_GROUP_new_from_ecpkparameters()`/

diff --git a/NEWS b/NEWS
index a27090521b0e56321f52122e27c4a018fda07a60..3d6d5a6f23d3b4f51d0c460eeeca8e4b27b078ae 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,13 @@
 
   Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [under development]
 
-      o
+      o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt()
+        (CVE-2019-1563)
+      o For built-in EC curves, ensure an EC_GROUP built from the curve name is
+        used even when parsing explicit parameters
+      o Compute ECC cofactors if not provided during EC_GROUP construction
+        (CVE-2019-1547)
+      o Use Windows installation paths in the mingw builds (CVE-2019-1552)
 
   Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]